I want to sign Android app with the same certificate used for the desktop app. I have 3 files - .cer, .p12 and .pfx. Is it possible to use any of those for signing Android app?
Update: I have successfully imported the .cer key (which appears to be X.509-format certificate) into the newly created keystore, but I can't use it for signing. Here's the error message jarsigner gives me:
Certificate chain not found for: [alias]. key must reference a valid
KeyStore key entry containing a private key and corresponding public
key certificate chain.
Perhaps, there's something else I must do with a keystore after importing the certificate to make it valid? Generate a public key or something?
Did you create the keystore with -validity then this issue will appear, remove the -validity. It will work.
keytool -importkeystore -srckeystore certificate/xxxxx.pfx -srcstoretype pkcs12 -destkeystore certificate/xxxxx.keystore -deststoretype JKS **-validity 36500**
Change to
keytool -importkeystore -srckeystore certificate/xxxxx.pfx -srcstoretype pkcs12 -destkeystore certificate/xxxxx.keystore -deststoretype JKS
I had this issue it got sorted because of trying to add validity to a pfx which has valid expiry date.
Related
I get the title and the text below when I try and fail to build an .aab file using flutter build appbundle:
java.util.concurrent.ExecutionException: java.lang.RuntimeException: jarsignerfailed with exit code 1 :
jarsigner: Certificate chain not found for: keystore. keystore must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
I had to reset my signing key. The google developer support had me generate a new .jks file with the following command line which I ran from within my project folder:
keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks
He then instructed me to convert this file into a .pem file using this command:
keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks
I then emailed him the upload_certificate.pem file. I immediately noticed that the keystore.jks file was red in the sidebar and I get this upon clicking on it:
"The file 'keystore.jks' is not associated with any file type. Please define the association:"
The .pem file is also red, but clicking on it shows the text that makes up the key.
Do I need to reset the signing key again and do something different? Is there a way to fix the issue causing this error?
As dumb as this may sound, I spent 24 hours on this and all I had to was enter flutter clean
You have keyAlias=keystore in your key.properties while it looks like the alias you created is named upload (see in your keytool export command).
Repleace with keyAlias=upload and that should work if your password is correct.
I have a .pfx file that I used to generated a keystore file using the following command:
keytool -importkeystore -srckeystore TestCodeSign.pfx -srcstoretype pkcs12
Keytool came back and said 'The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format..."
So I ran the suggested command:
keytool -importkeystore -srckeystore C:\Users\USERNAME\.keystore -destkeystore C:\Users\USERNAME\.keystore -deststoretype pkcs12
I now have the backed up copy, '.old' and the new .keystore file.
In Visual Studio, I create an archive for the release version of my app. Then I click Distribute->Google Play and then hit Import to locate the .keystore file.
But when I import, I get a useless error. I checked the Xamarin.Diagnostics output, I can see another error:
[E:keytool]: ImportKey - System.AggregateException: One or more errors occurred. ---> Xamarin.AndroidTools.AndroidSdkToolException: Importing keystore C:\\Temp\\TestCodeSign.keystore to C:\\Users\\USERNAME\\AppData\\Local\\Xamarin\\Mono for Android\\Keystore\\A\\A.keystore...
And that is it. How can I import an existing pfx file into a keystore and then use that keystore to sign the application for distribution to Google Play?
I generate a .keytore file to test. When I import with the wrong password or alias, it would throw the same error. Please check your password and alias.
If you do not make sure about the alias and password, you could create a new .ketstore file to import for test.
For more details about generate a .keystore file, please refer to the MS docs.
https://learn.microsoft.com/en-us/xamarin/android/deploy-test/signing/?tabs=windows
I received a keystore file from a customer which I am supposed to use to sign an APK that is going to replace/update an existing APK on the play store.
Unfortunately I get the following error:
jarsigner: Certificate chain not found for: alias_name. alias_name must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
When I try to sign the same APK with a different, self-generated keystore, this works fine, so I figured there must be something missing in the keystore.
Keystore-Typ: JKS
Keystore-Provider: SUN
Keystore enthält 1 Eintrag
Aliasname: alias_name
Erstellungsdatum: 19.05.2015
Eintragstyp: PrivateKeyEntry
Zertifikatskettenlänge: 1
Zertifikat[1]:
Eigentümer: (redacted)
Aussteller: (redacted)
Seriennummer: 5152a7xx
Gültig von: Wed Mar 27 09:00:32 CET 2013 bis: Sun Aug 12 10:00:32 CEST 2040
Zertifikat-Fingerprints:
MD5: (bla)
SHA1: (bla)
SHA256: (bla)
Signaturalgorithmusname: SHA1withRSA
Version: 3
*******************************************
*******************************************
When I compare this to a different keystore file, I notice there is an "Extension" missing. What is it, and how do I go about fixing this? Is the file incomplete that I got from my customer?
When I import the .p12 file into my Mac OS X keychain, I can see a private key called alias_name and a certificate; although there is no "certificate chain" or anything.
I tried the following command:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore data_dirs/ff.keystore /path/to/QtApp-release-unsigned.apk alias_name
jarsigner: Certificate chain not found for: alias_name. alias_name must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
When you create a keystore, you also create an alias in that keystore with an appropriate password. I assume "alias_name" isnt the name of that alias. You need to ask your client for that name and password to sign the apk with that alias and keystore.
I use
KeyStore store = KeyStore.getInstance("JCEKS");
But is make KeyStoreException
java.security.KeyStoreException: KeyStore JCEKS implementation not found
Reason is default security provider is bouncycastle in Android.
Therefore I use
KeyStore store = KeyStore.getInstance("JCEKS", "SunJCE");
But is make NoSearchProviderException
java.security.NoSearchProviderException: SunJCE
Android does not include the SunJCE security provider and therefore JCEKS is not a supported Keystore type (neither is the older JKS format).
To create a KeyStore you can either choose the BouncyCastle Keystore
KeyStore ks = KeyStore.getInstance("BKS");
or, from Android 4.3, the new AndroidKeyStore based on OpenSSL decdicated to store app-private keys (more details here)
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
And if you have a JCEKS Keystore you will have to convert it to BKS format with keytool:
keytool -importkeystore -srcstoretype JCEKS -srckeystore my.keystore -srckeypass my_password -destprovidername BC -deststoretype BKS -destkeypass my_new_password -destkeystore my.bks
I am having trouble using SSL, as I am getting the following error related to my keystore (self-created and self-signed using keytool per: http://developer.android.com/tools/publishing/app-signing.html):
08-14 20:55:23.044: W/System.err(5430): java.io.IOException: Wrong
version of key store. 08-14 20:55:23.060: W/System.err(5430): at
org.bouncycastle.jce.provider.JDKKeyStore.engineLoad(JDKKeyStore.java:812)
...
The error thrown in the JDKKeyStore.java class arises in the following code:
Blockquote
From JDKKeyStore.java:
if (version != STORE_VERSION)
{
if (version != 0)
{
throw new IOException("Wrong version of key store.");
}
}
Blockquote
In this case STORE_VERSION = 1, and my version=3 based on reading the details of the certificate held by the keystore I have created. I do not know how to generate a keystore containing a version=1 certificate.
I found this answer helpful:
wrong version keystore when doing https call
however it calls for creating the keystore using the following parameters:
-storetype BKS
-provider org.bouncycastle.jce.provider.BouncyCastleProvider
-providerpath /path/to/bouncycastle.jar
However, when I try to create the keytool (using the terminal app on Mac) using these parameters:
keytool -genkeypair -v -alias androiddebugkey -keyalg RSA -keysize
2048 -validity 10000 -keypass android -keystore
/Users/djames/dropbox/bc146keystore/debug.keystore -storepass android
-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider –providerpath /Users/djames/dropbox/bc146keystore/
(where /Users/djames/dropbox/bc146keystore/ is the path to the bouncy castle jar: bcprov-jdk16-146.jar)
I get the following error:
keytool error: java.lang.RuntimeException: Usage error, ?providerpath
is not a legal command java.lang.RuntimeException: Usage error,
?providerpath is not a legal command at
sun.security.tools.KeyTool.parseArgs(KeyTool.java:375) at
sun.security.tools.KeyTool.run(KeyTool.java:171) at
sun.security.tools.KeyTool.main(KeyTool.java:166)
I do not understand what this is telling me. If I use: keytool -help it tells me that the following are valid options for the -genkeypair option:
-genkeypair [-v] [-protected]
[-alias ]
[-keyalg ] [-keysize ]
[-sigalg ] [-dname ]
[-validity ] [-keypass ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
But in the Oracle docs java version 6 that I am using
(http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html)
it tells me that these are the options:
-genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays}
{-storetype storetype} {-keystore keystore} [-storepass storepass]
{-providerClass provider_class_name {-providerArg provider_arg}} {-v}
{-protected} {-Jjavaoption}
which does not include the -providerpath option. Why the discordance?
(If I do not use the -providerpath option, then I get an unknown class exception at the option: "-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider"...)
When I google: keytool -providerpath
I get nothing helpful to resolve this.
I am not sure how to solve my keystore version problem without solving my keytool problem. Any suggestions appreciated.
Jim
(Mac OSX 10.6.8 if relevant)
My problem was using a version of bouncy castle that was too new. I had to use 146 - any later and it gave me this error.
I was able to get past this problem with the version of keystore. see: keytool error when creating BKS keystore: providerpath is not a legal command
The version mismatch is for the key store version, not the certificate version (which should have the value 2 for a v3 X.509 certificate).
What version of the JDK did you use keytool from? Did you specify a full path to the command, or use what was in your PATH? Are you sure that you are using JKS key stores, and not JCEKS stores?
In order to complete Ryan answer as I had to dig in to find out how to generate a BKS with Bouncy Castle 1.46, you can use Portecle to generate the BKS.
Download Boucycastle Provider 1.46
Install or unzip it.
Replace bcprov.jar in your Portecle install directory (example: C:\Program Files (x86)\Portecle\bcprov.jar). Same naming is required.
Restart Portecle and generate your BKS truststore.
This explained here.
Edit:
Since Portecle 1.8, you can use BKS-V1 type to generate your truststore without to replace bcprov.jar.
You can select it after clicking on New keystore or change the type via the menu Tools -> Change KeyStore Type.